SJVN on track but missed the mark...

SJVN was on track with the article, but missed the mark on an important point. Only the source tar-ball on the mirrors was compromised. So, only those who built their implementation of this package from the supplied sources were exposed to the trojan. From what I understand the CVS versions were unaffected. Most active developers are going to be building from the CVS, so there would be a reduced exposure.

He did hit it right that the package was relatively obscure,... a fact glossed over by quite a few bloggers wanting to spread FUD, or outright misrepresented by some. In reality, I do not know how many people utilize the UnrealIRC package, but I estimate that it runs in the tens,... Not tens of thousands, or tens of hundreds, but tens of people. I doubt it is used in major institutions, or in mission critical implementations.

Most of those would be getting it in pre-built *deb or *rpm packages built from the CVS, or from the CVS directly. So,... I am guessing that there were a couple, at most, real world infections. And if you asked me, I would bet that it was more likely compromised by someone who was looking to build a back door into a specific system as some form of insider espionage against that person's employer, "friend" or organization.

With open source, you will always have someone who releases their own IRC package, or a music player or whatever, with security holes. There are certainly more "amateur" programs out there with problems but no one uses them, so in that case "security through obscurity" does indeed work.